Apache Fixes Range Header Flaw, Again
Trailrunner7 writes "Two weeks after releasing a fix for the range-header denial-of-service flaw that was much-discussed on security forums and mailing lists, the Apache Software Foundation has pushed out another version of its popular Web server that includes a further fix for the same flaw. Apache 2.2.21 has a patch for the CVE-2011-3192 vulnerability that the group previously fixed in late August with the release of version 2.2.20. The vulnerability is an old one that recently resurfaced after a researcher published an advisory on a modified version of the bug and also released a tool capable of exploiting the vulnerability."
Quick fixes (Score:3, Insightful)
Compare this to Microsoft's one-patch-day-a-month policy, which is rarely, if ever, varied.
Re: (Score:2, Funny)
meh, it's open source, why should you wait for apache to fix it for you? You can fix it yourself.
I set up apache on my grandmother's linux computer so she can share photos over webdav (she likes to gimp her pictures). I stopped by a couple days ago to update apache but to my surprise, she had already heard about the bug, downloaded the source code, got a master's degree in computer science, and fixed it herself.
Re: (Score:2)
WHOOOOOOOSH!
Re: (Score:1)
I would say that fixing the range header denial of service attack twice is nothing to be ashamed of. Firstly, you get a tested fix out quickly that protects sites that are likely to be under attack [targets]. These early adopters get the fix which stops the attack which is known in the wild. Two weeks later, you get the belt-and-braces fix which fixes the issue even for new variants of the known attack.
I think their response has been more than reasonable, given the actual flaw is a somewhat vaguely worded paragraph in the HTTP RFC regarding multiple requested ranges and how they should be treated. Sometimes the real bug is inherent to the protocol, and all vendors need to work together to seek a sensible remedy.
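The comment above turns on how a server should treat a Range header carrying many or overlapping byte ranges. The following is an added illustration, not code from Apache or from anyone in this thread: it parses a Range header into absolute byte offsets, coalesces the ranges, and flags a request that asks for far more (overlapping) bytes than the resource holds or for more ranges than a threshold. The thresholds (MAX_RANGES, the overlap bound) and the function names are assumptions chosen for the example; a server that gets a suspicious verdict would typically ignore the header and serve the full response with 200 rather than 206.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative threshold (assumption for this example, not an Apache constant).
MAX_RANGES = 200

# One byte-range-spec: "first-last", "first-" or "-suffix_length".
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_range_header(value: str, content_length: int) -> Optional[List[Tuple[int, int]]]:
    """Parse an HTTP/1.1 byte-range-set into absolute (first, last) offsets.

    Returns None when the header is syntactically unusable (a server would
    then ignore it). Unsatisfiable specs are dropped; the rest are clamped
    to the resource length.
    """
    if not value.lower().startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in value[len("bytes="):].split(","):
        spec = spec.strip()
        m = RANGE_SPEC.match(spec)
        if not m or spec == "-":
            return None
        first, last = m.group(1), m.group(2)
        if first == "":
            # suffix-byte-range-spec: the final N bytes of the resource
            n = int(last)
            if n == 0:
                continue
            ranges.append((max(content_length - n, 0), content_length - 1))
        else:
            start = int(first)
            end = int(last) if last != "" else content_length - 1
            end = min(end, content_length - 1)
            if start > end or start >= content_length:
                continue  # unsatisfiable range, skipped
            ranges.append((start, end))
    return ranges


def coalesce(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Merge overlapping or adjacent ranges into a sorted, disjoint list."""
    merged: List[Tuple[int, int]] = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


@dataclass
class RangeVerdict:
    requested: int      # number of byte-range-specs in the header
    distinct: int       # number of ranges after coalescing
    overlap_bytes: int  # bytes requested more than once
    suspicious: bool    # True when the header should be ignored


def assess_range_header(value: str, content_length: int,
                        max_ranges: int = MAX_RANGES) -> RangeVerdict:
    """Decide whether a Range header is worth honouring for a resource
    of content_length bytes. A malformed header is simply not suspicious;
    it is ignored the same way a server would ignore it."""
    ranges = parse_range_header(value, content_length)
    if ranges is None:
        return RangeVerdict(0, 0, 0, False)
    total = sum(e - s + 1 for s, e in ranges)
    merged = coalesce(ranges)
    covered = sum(e - s + 1 for s, e in merged)
    overlap = total - covered
    # Suspicious when there are more ranges than we are willing to serve,
    # or when the overlapping bytes alone exceed the whole resource.
    suspicious = len(ranges) > max_ranges or overlap > content_length
    return RangeVerdict(len(ranges), len(merged), overlap, suspicious)


if __name__ == "__main__":
    # Constructed sample headers against a 1000-byte resource.
    for hdr in ("bytes=0-99", "bytes=-10", "bytes=0-,1-,2-", "bytes=abc"):
        print(hdr, assess_range_header(hdr, 1000))
```

The overlap check is what distinguishes a legitimate multi-range download (a few disjoint ranges) from a header that names the same region over and over; counting ranges alone misses a short header whose few ranges each span almost the whole file.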
Re: (Score:2)
So what you're saying is "Le mieux est l'ennemi du bien"?
2.0.65? (Score:2)
Nice.
I hope the one for 2.0.64 comes out soon... but at the same time I'm glad the 2.2 guys are the guinea pigs seeing regressions and not us :).
Re: (Score:2)
More people are running 1.3 than 2.0 now. Going from 1.3 to 2.2 with a custom module sometimes means a rewrite but going from 2.0 to 2.2 tends to be updating a few elements in some structures.